Bypass Rate Limit — A blank space leads to this random encounter!

Roxst4r
Published in InfoSec Write-ups
Apr 14, 2022

Hello All, Hope you are having a great time!

Let me get straight into the vulnerability I found. The target is a website I will call “example.com”, as I cannot disclose the real name yet. While testing the login functionality, I tried the password reset flow. When you request a reset, the server sends an OTP to both the email address and the mobile number registered on the account.

Luckily I had added my mobile number to my account, otherwise I would not have found this issue (you will understand why as we go along). Sometimes LUCK plays a major role in bug bounty ~

At first I sent the password reset request to Intruder and tried null payloads, arbitrary values and so on, but that failed: rate limiting kicked in after 20 requests. Next I tried adding X-Forwarded-Host: 127.0.0.1, X-Forwarded-Client, X-Client-IP and all the other usual header tricks, which did not work either. Then I tried IP Rotate (a Burp extension that spins up API Gateways across multiple regions so each request leaves from a different IP), which also failed, telling me the limit was not IP based and was most likely keyed on the request itself. Still, something (a strong gut feeling) made me keep working on it. I tried appending %00 (a null byte) and other encoded characters to the end of the email, which did not work either.

The Lucky part ~

That’s when I remembered reading a blog post saying that adding a space at the end of the email may bypass rate limiting. It failed at first. For testing I had created one account (without a mobile number), and, as I occasionally use this website for booking activities, I also had my personal account (with a verified phone number).

[Image: the request and response without the trailing space]

I had been testing with the test account the whole time. Then I (luckily) switched to my personal account, added a space at the end of my email, and saw that the OTP was no longer sent to my email (an address with a trailing space is not deliverable), but because the mobile number is associated with that account, the OTPs were still sent to my phone. In other words, the rate limiter counted the exact email string, so the version with the space was treated as a new key, while the account lookup trimmed the space and still found the account. ~ Bypassed ~

[Image: the request and response after adding the space]

With this bug I was able to bypass the rate limit and flood a victim’s mobile number with OTP messages. I know this might not be a big vulnerability, but I hope little things like this help you in different scenarios as you go along your bug hunting journey.
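To make the failure mode concrete, here is an added example (not code from the original post or from the affected site) that models the server side of this reset flow. It assumes the limiter keys on the raw email parameter while the account lookup trims and lowercases it, which is what the observed behaviour implies; the account store, the limit of 20, the phone numbers and the parameter variants are all constructed for the demonstration. It goes one step beyond the post by trying several variants (one space, two spaces, a case change), since any normalisation applied after the limiter key is taken opens the same gap.

```python
import re
from collections import defaultdict

LIMIT = 20  # assumed budget per key before the server answers 429 (the post saw blocking after 20)

# Constructed sample account store, not data from the real site.
ACCOUNTS = {
    "victim@example.com": {"mobile": "+15550100"},   # like the personal account: phone verified
    "tester@example.com": {"mobile": None},          # like the throwaway test account: no phone
}

# Rejects whitespace anywhere, so "victim@example.com " is not a deliverable address.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def canonical_email(raw):
    """What a typical account lookup does: strip surrounding whitespace and lowercase."""
    return raw.strip().lower()


class ResetService:
    def __init__(self, key_on_canonical):
        # False reproduces the bug (limiter keyed on the raw parameter);
        # True is the fix (limiter keyed on the same canonical form the lookup uses).
        self.key_on_canonical = key_on_canonical
        self.hits = defaultdict(int)
        self.sms_sent = []
        self.email_sent = []

    def request_reset(self, email_param):
        canonical = canonical_email(email_param)
        key = canonical if self.key_on_canonical else email_param
        self.hits[key] += 1
        if self.hits[key] > LIMIT:
            return 429
        account = ACCOUNTS.get(canonical)
        if account is None:
            return 200  # same response as a hit, so the endpoint does not enumerate accounts
        if EMAIL_RE.match(email_param):
            self.email_sent.append(email_param)   # raw string is what the mailer gets
        if account["mobile"]:
            self.sms_sent.append(account["mobile"])  # mobile comes from the account record
        return 200


def flood(service, variants, per_variant):
    """Fire per_variant reset requests for each parameter variant; return how many SMS OTPs went out."""
    for variant in variants:
        for _ in range(per_variant):
            service.request_reset(variant)
    return len(service.sms_sent)


# Constructed parameter variants: the post's trailing space plus two more normalisation gaps.
VARIANTS = [
    "victim@example.com",
    "victim@example.com ",
    "victim@example.com  ",
    "Victim@example.com",
]

if __name__ == "__main__":
    vulnerable = ResetService(key_on_canonical=False)
    print("vulnerable: SMS sent =", flood(vulnerable, VARIANTS, 30),
          "emails sent =", len(vulnerable.email_sent))
    hardened = ResetService(key_on_canonical=True)
    print("hardened:   SMS sent =", flood(hardened, VARIANTS, 30),
          "emails sent =", len(hardened.email_sent))
    # A test account without a phone shows nothing: the spaced address bounces and there is no SMS.
    print("test account, spaced email: SMS sent =",
          flood(ResetService(key_on_canonical=False), ["tester@example.com "], 30))
```

Against the vulnerable service each variant gets its own budget of 20, so four variants produce 80 SMS to the victim's phone while only the two whitespace-free variants ever reach the mailbox; the hardened service stops at 20 regardless of how the parameter is spelled. The general lesson for the defender: derive the rate-limit key from the same canonical identifier the application uses for the lookup (and ideally also count per destination phone number), never from the raw request parameter.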

I welcome suggestions and corrections, as I may not have everything right; I am still learning.

Thank y’all ~
